如何将 GCP 服务帐户 JSON 存储在 terraform 变量中?
How to store GCP Service Account JSON in a terrafrom variable?
我的 terraform gcp provider 配置看起来像
provider "google" {
project = var.project
region = var.region
credentials = file("account.json")
}
我想 运行 我的 terraform 文件在 terraform cloud 上,我不想将 account.json 文件放在源代码管理中。如何将 json GCP 服务帐户文件存储在 terraform 云中,然后从 terraform 脚本访问它?
您可以将凭据作为 Multi-Line value called google_credentials in the Terraform Cloud UI and mark it as a Sensitive Value 提供,并输入类似这样的内容以及您帐户的正确值(可能只是您已有的 account.json 文件的复制粘贴):
{
"type": "service_account",
"project_id": "project-id",
"private_key_id": "key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
"client_email": "service-account-email",
"client_id": "client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
然后,您可以将工作区变量中的凭据提供给 Terraform 模块中的 google 提供程序,如下所示作为单个变量,该变量将被解释为 JSON:
provider "google" {
project = var.project
region = var.region
credentials = var.google_credentials
}
variable "google_credentials" {
description = "the contents of a service account key file in JSON format."
type = string
}
credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.
更好的答案是通过 运行
删除服务帐户密钥文件中的换行符
tr -d '\n' < current_service_key.json > no_new_line_key.json
将“no_new_line_key.json”的内容粘贴到 Terraform Cloud 的变量部分,并使用此处记录的任何变量名称,例如 GOOGLE_CREDENTIALS 或 GOOGLE_CLOUD_KEYFILE_JSON:(https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference).我用了 GOOGLE_CREDENTIALS
Screenshot of the configuration
我的 terraform gcp provider 配置看起来像
provider "google" {
project = var.project
region = var.region
credentials = file("account.json")
}
我想 运行 我的 terraform 文件在 terraform cloud 上,我不想将 account.json 文件放在源代码管理中。如何将 json GCP 服务帐户文件存储在 terraform 云中,然后从 terraform 脚本访问它?
您可以将凭据作为 Multi-Line value called google_credentials in the Terraform Cloud UI and mark it as a Sensitive Value 提供,并输入类似这样的内容以及您帐户的正确值(可能只是您已有的 account.json 文件的复制粘贴):
{
"type": "service_account",
"project_id": "project-id",
"private_key_id": "key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
"client_email": "service-account-email",
"client_id": "client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
然后,您可以将工作区变量中的凭据提供给 Terraform 模块中的 google 提供程序,如下所示作为单个变量,该变量将被解释为 JSON:
provider "google" {
project = var.project
region = var.region
credentials = var.google_credentials
}
variable "google_credentials" {
description = "the contents of a service account key file in JSON format."
type = string
}
credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.
更好的答案是通过 运行
删除服务帐户密钥文件中的换行符tr -d '\n' < current_service_key.json > no_new_line_key.json
将“no_new_line_key.json”的内容粘贴到 Terraform Cloud 的变量部分,并使用此处记录的任何变量名称,例如 GOOGLE_CREDENTIALS 或 GOOGLE_CLOUD_KEYFILE_JSON:(https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference).我用了 GOOGLE_CREDENTIALS
Screenshot of the configuration